Abstract: Disclosed herein are methods, systems, and processes for tracking honeytokens. A malicious attack from an attacker is received at a honeypot and a determination is made that an attack event associated with the malicious attack has compromised deceptive credential information maintained by the honeypot. A unique credential pair that corresponds to the deceptive credential information sought by the attack event is generated and a honeytoken tracker state table is modified to include the unique credential pair and attack event metadata in association with the attack event. The unique credential pair is then transmitted to the attacker and the honeytoken tracker state table is synchronized with a honeypot management system. Another malicious attack is detected, the honeytoken tracker state table is accessed, and the malicious attacker is correlated to the attacker.

Abstract: A data encryption system receives data to be encrypted prior to being transmitted to a storage unit. The received data is analyzed to determine a secure storage approach based on a risk level associated with the received data. In response to the risk level satisfying a threshold risk level the data encryption system uses a convergent encryption technique to encrypt the received data, but in response to the risk level failing to satisfy the threshold risk level, the data encryption system encrypts the received data using a key based on a random number. The encrypted data is transmitted to a storage unit.

Abstract: A control device in a vehicle: determines whether the control device is detached from the vehicle; communicates with other control devices mounted in the vehicle; stores an encryption key; performs a calculation process necessary for communication; and prohibits execution of the calculation process using the encryption key when determining that the control device is detached from the vehicle.

Abstract: A network monitoring “sensor” is built on initial startup by checking the integrity of the bootstrap system and, if it passes, downloading information from which it builds the full system including an encrypted and an unencrypted portion. Later, the sensor sends hashes of files, configurations, and other local information to a data center, which compares the hashes to hashes of known-good versions. If they match, the data center returns information (e.g., a key) that the sensor can use to access the encrypted storage. If they don't, the data center returns information to help remediate the problem, a command to restore some or all of the sensor's programming and data, or a command to wipe the encrypted storage. The encrypted storage stores algorithms and other data for processing information captured from a network, plus the captured/processed data itself.

Abstract: A network monitoring “sensor” is built on initial startup by checking the integrity of the bootstrap system and, if it passes, downloading information from which it builds the full system including an encrypted and an unencrypted portion. Later, the sensor sends hashes of files, configurations, and other local information to a data center, which compares the hashes to hashes of known-good versions. If they match, the data center returns information (e.g., a key) that the sensor can use to access the encrypted storage. If they don't, the data center returns information to help remediate the problem, a command to restore some or all of the sensor's programming and data, or a command to wipe the encrypted storage. The encrypted storage stores algorithms and other data for processing information captured from a network, plus the captured/processed data itself.

Abstract: Detecting emergent abnormal behavior in a computer network faster and more accurately allows for the security of the network against malicious parties to be improved. To detect abnormal behavior, outbound traffic is examined from across several devices and processes in the network to identify rarely communicated-with destinations that are associated with rarely-executed processes. As a given destination and process is used more frequently over time by the network, the level of suspicion associated with that destination and process is lowered as large groups of devices are expected to behave the same when operating properly and not under the control of a malicious party. Analysts are alerted in near real-time to the destinations associated with the activities deemed most suspicious.

Abstract: Various examples for identifying clusters of instances of managed devices within a management service are described. Clusters are identified based upon a policy strength score of the respective instances. The policy strength scores can be generated based upon the security settings of the instance within the management service.

Abstract: Arrangements for automatically authenticating a user based on a signals-based footprint of the user are provided. In some examples, an authentication device may continuously scan a predefined area surrounding the authentication device. Upon detecting a user device, a determination may be made as to whether the device is detected for at least a threshold amount of time. If so, user data may be requested. In some examples, the user data may be requested from, for example, a mobile device of a user and may include biometric signature data, such as heart rate, respiratory rate, and the like. User response data may be received and compared to pre-stored data and, if the user response data meets or exceeds a threshold confidence level, the user may be automatically authenticated. If not, additional user authentication information, such as a username and password, personal identification number (PIN), or the like, may be requested to authenticate the user.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to improve feature engineering efficiency. An example method disclosed herein includes retrieving a log file in a first file format, the log file containing feature occurrence data, generating a first unit operation based on the first file format to extract the feature occurrence data from the log file to a string, the first unit operation associated with a first metadata tag, generating second unit operations to identify respective features from the feature occurrence data, the second unit operations associated with respective second metadata tags, and generating a first sequence of the first metadata tag and the second metadata tags to create a first vector output file of the feature occurrence data.

Abstract: Disclosed herein is a technique for migrating data between a first device and a second device via a private wireless network hosted by the first device. According to some embodiments, the private wireless network is established based on a code generated by the first device. The second device derives wireless network parameters associated with the private wireless network and connects to the private wireless network. In turn, the data migration can commence when a connection between the first device and the second device has been established.

Abstract: A computer processing node is described that is configured to perform a control flow integrity (CFI) method on a protected process operating on the processing node. The CFI method includes intercepting a system call originating from execution of the protected process executing in the runtime environment. A fast path operating within a kernel of the computer system accesses, from a kernel memory, a processor trace packet corresponding to the system call. The fast path attempts to establish a match between the processor trace packet and a program control flow (edge) entry within a credit-labeled control flow graph (CFG) definition having an associated credit value. The credit value represents a degree to which the program control flow is credible.

Abstract: An online system maintains pages and accesses a graph of nodes representing the pages. Each node is labeled to indicate that a corresponding page is for a real-world entity, an imposter of the real-world entity, or a derived entity complying with or violating a policy. The online system retrieves machine-learning models, each of which is trained based on labels for a set of the nodes and features of corresponding pages. A first model predicts whether a page is for a derived entity based on features of the page. Responsive to predicting the page is not for a derived entity, a second model predicts whether the page is for a real-world entity or an imposter based on features of the page. Responsive to predicting the page is for a derived entity, a third model predicts whether the derived entity complies with or violates the policy based on features of the page.

Abstract: Enforcing memory operand types using protection keys is generally described herein. A processor system to provide sandbox execution support for protection key rights attacks includes a processor core to execute a task associated with an untrusted application and execute the task using a designated page of a memory; and a memory management unit to designate the page of the memory to support execution of the untrusted application.

Abstract: A system and method allows a user to register one or more PINs on one or more user devices, and then authenticates the user to a server via the PIN and a token deposited on the user device being used by the user to allow access to an application on the user device. Individual tokens, or all tokens deposited on the user devices for a user account, may be invalidated, and the user is prevented from authenticating himself or herself via a PIN to allow access to an application on any device for which the last token deposited was invalidated, until the same or different PIN is registered for that device.

Abstract: A network monitoring “sensor” is built on initial startup by checking the integrity of the bootstrap system and, if it passes, downloading information from which it builds the full system including an encrypted and an unencrypted portion. Later, the sensor sends hashes of files, configurations, and other local information to a data center, which compares the hashes to hashes of known-good versions. If they match, the data center returns information (e.g., a key) that the sensor can use to access the encrypted storage. If they don't, the data center returns information to help remediate the problem, a command to restore some or all of the sensor's programming and data, or a command to wipe the encrypted storage. The encrypted storage stores algorithms and other data for processing information captured from a network, plus the captured/processed data itself.

Abstract: A security system using automatic and scalable log pattern learning in security log analysis is provided. The security system includes one or more management services configured to generate security logs, and a security log analysis service operatively coupled to the one or more management services. The security log analysis service is configured to collect the security logs generated by the one or more management services, implement an incremental learning process to generate a set of log patterns from the collected security logs, parse the collected security logs using the set of log patterns, and analyze the parsed security logs for one or more security applications.

Abstract: One general aspect of encryption key management by a data storage controller which communicates with asynchronous key servers is directed to issue a prepare for enable command to request an encryption key from an encryption key server. State machine logic transitions from an unconfigured state to a prepare for enable state in which key server mirror management logic receives from a key server a requested encryption key and caches the received key. In an enabling state, enablement logic verifies successful mirroring of the encryption key by a key server to another key server and activates the encryption key if key mirroring by key servers is verified. In an enabled state, data is encrypted using the verified, activated encryption key. Other features and aspects may be realized, depending upon the particular application.

Abstract: A network monitoring “sensor” is built on initial startup by checking the integrity of the bootstrap system and, if it passes, downloading information from which it builds the full system including an encrypted and an unencrypted portion. Later, the sensor sends hashes of files, configurations, and other local information to a data center, which compares the hashes to hashes of known-good versions. If they match, the data center returns information (e.g., a key) that the sensor can use to access the encrypted storage. If they don't, the data center returns information to help remediate the problem, a command to restore some or all of the sensor's programming and data, or a command to wipe the encrypted storage. The encrypted storage stores algorithms and other data for processing information captured from a network, plus the captured/processed data itself.

Abstract: Aspects described herein may allow for the receiving, from a detection service, a plurality of configuration parameters, wherein each configuration parameter includes a type of a risk and an associated level of the risk, with a corresponding automated remediation action for each configuration parameter. A remediation management framework authenticates the detection service for access to the remediation management framework and initiates a scanning of a system of interest, based on the plurality of configuration parameters, by the detection service, to identify one or more risk findings. The remediation management framework receives the identified one more risk findings; and matches each of the one or more risk findings with the plurality of configuration parameters, which then triggers by the remediation management framework, the corresponding automated remediation action associated with each of the one or more risk findings.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to monitor code as it executes. The code can include self-modifying code. The system can log an event if the self-modifying code occurred in a GetPC address region.